(From this month’s newsletter – with proper formatting applied)
We’ve talked about IAG 2007 from time to time in this space over the last year or so. Things got a bit more interesting last year when IAG 2007 SP2 was released because it was the first time you could actually get some real hands on experience with the product, using a virtual environment. Before then, the only way you could work with the IAG 2007 SSL VPN gateway was to get a loaner from a hardware IAG 2007 provider, or play around with it in a virtual lab.
While SP2 did open up the opportunity to check on what IAG 2007 had to offer, it really didn’t ramp up interest the way I thought it would. I think the primary issue was that the .vhd download didn’t really give people the experience they were expecting, and there were some limitations to its use. Nonetheless, there were a number of people who did get their appetites whetted by the IAG 2007 SP2 .vhd, and overall we can call this a good thing.
I liked IAG 2007, but I have to say that it isn’t the easiest product in the world to work with. There are a lot of moving parts, and a lot of those moving parts are hidden behind other parts or are buried under several layers of complexity that can cause you to pull your hair out. Indeed, if you wanted to get the most out of your IAG 2007 deployment, you really needed to hire an experienced consultant to give you anything other than a generic out of box experience.
With this as background, you’ll understand why I’m so excited by the recent release of the beta 2 version of the Microsoft Unified Access Gateway or UAG. UAG beta 2 is a public beta, which means you can download and install it and really kick the tires on this release. UAG is a major update to the IAG 2007 product and works much more like a native Microsoft application. You can install it like any other Microsoft product, and integrate it into your environment in a way similar to what you’re used to with ISA and TMG firewall installations.
What’s so hot about UAG?
Lots. UAG represents a major shift in Microsoft’s approach to remote access. The idea here is that what you really need is a central point of control and management for inbound connections to your network. This is more important than ever, since an increasing number of people are working from home, from hotels, from conference centers, from customers’ offices, and many other places that aren’t at the home office. You need a way to make connectivity transparent to all your users, so they can get the information they need regardless of their location or even the device they’re using. That’s the core of the UAG remote access philosophy.
While UAG stands for “Unified Access Gateway”, I’d like to think of it as the “Universal” Access Gateway, since it brings so many remote access scenarios into a single deployment, configuration and management solution. Why should you have to mess with multiple devices to support anytime, anywhere access for your users? You don’t need several different boxes or solutions with UAG. It’s your one-stop shop.
UAG is your remote access solution for the following scenarios:
- Terminal Services Gateway and Terminal Services RemoteApp. No need to deploy a second server or array for TSG and TS RemoteApp – use UAG’s easy-to-use wizard to get your TS deployment working in record time.
- Reverse Web Proxy (Web SSL VPN) with exceptional application layer inspection through UAG’s advanced positive and negative logic filtering schemes. Built in application optimizers get you up and running with secure access to SharePoint, Exchange, Microsoft CRM, and non-Microsoft Web applications in no time.
- Endpoint detection either through NAP or UAG’s integrated endpoint detection facilities. Session cleanup policies can be based on the results of endpoint detection, so that both session cleanup and level of access can be controlled, even on a per-application basis, when connecting through the UAG Web portal.
- Secure Web Portal access supporting a wide array of authentication protocols for secure two-factor authentication prior to application access. Support for advanced authentication methods such as Kerberos Constrained Delegation is available right out of the box, and it doesn’t require a “rocket science” degree to get it working, which some might have considered the case with IAG 2007.
- Network level VPN support, so that users can access the network over PPTP, L2TP/IPsec and SSTP. SSTP is a great solution for Vista SP1 and above clients since it’s a true SSL VPN, providing PPP based connectivity over an SSL link.
- Continued support for the Network Connector, which is another true SSL VPN, providing network level access for downlevel clients over an SSL connection. This is helpful if you have clients who need network level access but don’t support SSTP or DirectAccess.
- Integrated support for Windows 7/Windows Server 2008 R2 DirectAccess. If you don’t know about DirectAccess, now’s the time to start, as it provides transparent VPN-like connectivity without requiring user intervention to establish the connection. The problem is that DirectAccess is extraordinarily difficult to get set up and configured, and it has major dependencies on IPv6. UAG beta 2 takes out much of the IPv6 and DirectAccess hassle and provides, right out of the box, integrated support for IPv6 transition technologies so that you can make non-IPv6 resources available to your remote users over the DirectAccess link.
- Array support to provide central configuration and high availability for up to 8 members in a UAG array. This includes integrated support for NLB, which wasn’t available in IAG 2007. NLB has been enhanced so that UAG represents the only really viable solution for DirectAccess server high availability.
- Tight integration with Threat Management Gateway 2010, where TMG provides the rock solid firewall support to make it possible to put the UAG at the edge of the network. UAG automatically configures TMG firewall policies so that admins never need to worry about the TMG configuration. In fact, as a UAG SSL VPN gateway admin, you should never need to look at the TMG firewall policy or need to move into the TMG console for any reason.
These are just some of the highlights. There’s a lot more in UAG beta 2 to like. It’s very clear that the UAG team spent a tremendous amount of time working on the usability issues that might have stood as barriers to adoption in the IAG 2007 world. Even configuration of the portal interface has been remarkably simplified, so that you don’t need to be a Web programmer and navigate to 20 different places in the file system to get the look and feel of your portals where you want them.
Now, that’s not to say that the UAG is perfect. Nothing is. There are a couple of areas where I think the “unified” aspect of the inbound access gateway approach falls down. There are several inbound access scenarios that aren’t supported by UAG which will require that you deploy another, separate solution to support them (which to me, violates the spirit of the UAG being the single inbound access solution you need):
- No support for VPN Reconnect (aka – IKEv2). There are some scenarios where you might want to support VPN Reconnect. One I can think of is that VPN Reconnect is a great VPN solution for firms who aren’t quite ready to get their DirectAccess solutions working.
- No support for what we refer to as “Server Publishing Rules” in the ISA/TMG world. What about SMTP inbound? What about IMAP4? What about POP3? What about DNS? These are important inbound protocols that will require that we use another device, such as a TMG firewall, to allow inbound access. If the goal is a separation of duties so that UAG handles all inbound traffic and TMG handles outbound traffic, then UAG should support all of TMG’s Server Publishing Rule facilities.
- No support for fine-tuned access controls on network level VPN connections. In contrast to the robust support for per user, per group, per protocol, per destination, per time, per content controls you can enforce through TMG network level VPN connections, this functionality isn’t exposed in the UAG interface.
Are these issues enough to make me want to steer clear of the UAG? Not a chance! But these are things I think the UAG team needs to think about so that we can create a clear demarcation of duties between the UAG and the TMG.
Check it out for yourself! You can download UAG beta 2 over at http://www.microsoft.com/downloads/details.aspx?familyid=A3F5729A-3989-4F60-980F-1B87DD198988&displaylang=en
Finally, I encourage you to read the release notes and other system requirements before getting started on your UAG beta 2 quest. I guarantee that the 15 minutes you spend reading them will more than pay for itself, and you’ll avoid silly mistakes like those I made when I began testing my UAG beta 2 deployment.
Let me know what you think of UAG beta 2. Send me your thoughts on UAG beta 2 over at [email protected] and I’ll get them in the newsletter, and if it seems appropriate, share them with the UAG beta 2 team.
See you next month…
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer